greenpau / caddy-security

🔐 Authentication, Authorization, and Accounting (AAA) App and Plugin for Caddy v2. 💎 Implements Form-Based, Basic, Local, LDAP, OpenID Connect, OAuth 2.0 (Github, Google, Facebook, Okta, etc.), SAML Authentication. MFA/2FA with App Authenticators and Yubico. 💎 Authorization with JWT/PASETO tokens. 🔐
https://authcrunch.com/
Apache License 2.0

question: Lock authentication to specific IP addresses #360

Open Gunni opened 2 weeks ago

Gunni commented 2 weeks ago

I am using SAML auth with Entra ID/Azure AD, but I want to prevent anyone not on a specific IP (or multiple IPs/CIDRs) from trying to authenticate or access the webserver.

How can I do that?

Defense in depth.

I used to have something like

```caddyfile
@blocked not remote_ip <ip1> <ip2> <ip3>
respond @blocked "Nope" 403
```

But then I added caddy-security and it stopped working. I can get exact config on Monday.

greenpau commented 2 weeks ago

@Gunni , not sure whether I understand the use case and how it is related to this plugin.

Gunni commented 2 weeks ago

Basically:

  1. check if user is in access list
  2. check saml/redirect user
  3. forward request to reverse proxy

In that order. Again, if I need to post config, I can do it on Monday.
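One way to get exactly that ordering in a Caddyfile, as an added example that is not part of this issue and not the project's own sample config: Caddy's `route` block evaluates its directives in the order written, so the IP allow-list can be placed literally before the caddy-security `authorize` step, regardless of how the plugin's directives are globally ordered. The policy name `mypolicy`, the portal URL, the hostname, the upstream and the IP ranges are all assumed values; the SAML portal definition the policy pairs with is whatever is already configured and is not shown.

```caddyfile
{
    # Assumed policy; "set auth url" points at the existing (SAML) portal.
    security {
        authorization policy mypolicy {
            set auth url https://auth.example.com/
            allow roles authp/user
        }
    }
}

app.example.com {
    route {
        # Step 1: anything not from the allow-listed addresses is rejected
        # before any authentication logic runs. The addresses below are
        # documentation ranges (constructed example values).
        @blocked not remote_ip 203.0.113.0/24 198.51.100.7
        respond @blocked "Nope" 403

        # Step 2: only allow-listed clients reach the token check; a request
        # without a valid token is redirected to the portal by the policy.
        authorize with mypolicy

        # Step 3: authenticated requests are proxied to the backend (assumed upstream).
        reverse_proxy localhost:8080
    }
}
```

One check worth doing before relying on this: `remote_ip` matches the address of the TCP peer. If Caddy sits behind a load balancer or another proxy, that peer is the proxy, so every client looks allow-listed or every client looks blocked. In that deployment, declare the proxy in the `trusted_proxies` global option and match on `client_ip` (Caddy 2.7 and later) instead; an untrusted `X-Forwarded-For` header must never be what the allow-list decision is based on.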

greenpau commented 2 weeks ago

> In that order. Again if i need to post config, i can do it on Monday.

@Gunni , let's see your config.

Gunni commented 2 weeks ago

Here it is: https://gist.github.com/Gunni/c00b0eab5115eed846e04b66dfa85662